Biometric Security Isn’t As Strong As You Think, Here’s Why



Biometric authentication using your face or fingerprints is super convenient and feels futuristic and secure. However, that can be a false sense of security thanks to the weaknesses that biometric systems have. If you know what they are, you can use biometrics responsibly.

Your biometric data cannot be changed

The biggest problem with using your body measurements as an authentication system is that you can’t easily change them if that information is hacked. When your password information is inevitably leaked or decrypted, all you have to do is change your password and attackers are right back where they started.

If your biometric data is compromised, you can’t exactly change your fingerprints or iris patterns. That doesn’t mean your biometric data is ruined forever. It is possible to move to higher fidelity scanning systems that capture more detail than older systems.

People who create biometric security features have ways to hide your raw fingerprints, facial scans, iris images, and any other body parts you’ve scanned. By applying encryption that cannot be reversed without a key, these systems offer protection against traditional hacking.

The problem is that a dedicated attacker can always find a way to access your raw biometric data. Whether it’s through a data breach or physically taking your fingerprints off a soda can, where there’s a will, there’s a way!
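To make the “hide the raw scan” idea concrete, here is an added illustration (not code from the article or from any device vendor) of a keyed, one-way transform of the kind used for protected biometric templates. It is a simplified, constructed scheme, not a production algorithm: a fingerprint is stood in for by a vector of 32 numbers, the stored template is a bit string derived by projecting that vector onto random directions that only the device key can regenerate, and matching tolerates the small measurement noise of a fresh scan. The constants, sample vectors and key strings are all made up for the example.

```python
import hashlib
import hmac
import random
import struct

N_FEATURES = 32   # length of the constructed "fingerprint" feature vector
N_BITS = 256      # length of the protected template
THRESHOLD = 64    # largest Hamming distance still accepted as the same finger


def _projection_row(key, bit_index):
    """Derive one pseudo-random projection vector from the device key via HMAC-SHA256.
    Without the key the projection cannot be regenerated, so the stored bits do not
    reveal the raw measurements on their own."""
    row = []
    counter = 0
    while len(row) < N_FEATURES:
        block = hmac.new(key, struct.pack(">II", bit_index, counter), hashlib.sha256).digest()
        for i in range(0, 32, 4):
            u = struct.unpack(">I", block[i:i + 4])[0]
            row.append(u / 0xFFFFFFFF * 2.0 - 1.0)   # uniform in [-1, 1]
            if len(row) == N_FEATURES:
                break
        counter += 1
    return row


def protect(features, key):
    """Keyed, lossy transform: keep only the sign of each key-derived projection."""
    bits = []
    for b in range(N_BITS):
        row = _projection_row(key, b)
        dot = sum(f * r for f, r in zip(features, row))
        bits.append(1 if dot >= 0 else 0)
    return bits


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def verify(stored_template, probe_features, key):
    """Fuzzy match: a re-scan of the same finger is never bit-identical, so the
    protected templates are compared by Hamming distance, not exact equality."""
    return hamming(stored_template, protect(probe_features, key)) <= THRESHOLD


def exact_hash(features):
    """What password-style hashing would do. Any measurement noise changes the
    digest, which is why biometrics cannot simply be hashed like a password."""
    rounded = ",".join(f"{f:.2f}" for f in features)
    return hashlib.sha256(rounded.encode()).hexdigest()


# Constructed sample data (not real biometric data): an enrolled vector, a noisy
# re-scan of the same subject, and an unrelated subject.
_rng = random.Random(2024)
ENROLLED = [_rng.uniform(-1, 1) for _ in range(N_FEATURES)]
RESCAN = [f + _rng.gauss(0, 0.05) for f in ENROLLED]
IMPOSTOR = [_rng.uniform(-1, 1) for _ in range(N_FEATURES)]
DEVICE_KEY = b"constructed-device-key-kept-in-secure-hardware"
NEW_KEY = b"constructed-replacement-key-after-revocation"


def demo():
    stored = protect(ENROLLED, DEVICE_KEY)
    return {
        "exact_hash_matches": exact_hash(ENROLLED) == exact_hash(RESCAN),
        "genuine_accepted": verify(stored, RESCAN, DEVICE_KEY),
        "impostor_rejected": not verify(stored, IMPOSTOR, DEVICE_KEY),
        "old_template_dead_after_rekey": not verify(stored, RESCAN, NEW_KEY),
        "genuine_distance": hamming(stored, protect(RESCAN, DEVICE_KEY)),
        "impostor_distance": hamming(stored, protect(IMPOSTOR, DEVICE_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the example shows that the paragraph only states. First, exact hashing fails on a genuine re-scan while the keyed template still matches, which is why biometric systems need a key-dependent transform plus a tolerance threshold rather than a password hash. Second, the protection lives entirely in the key: replacing it makes the stored bits useless, but it also means a leaked key plus the stored template says something about the original measurements, so real devices keep both the key and the matching inside secure hardware. None of this helps if the raw scan itself is captured, which is the point of the paragraph above.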

May be forced to unlock biometric systems


Let’s imagine that you have just landed at home after an international trip and you are stopped at customs. You hand over your phone for inspection, but it has a biometric lock on it, so there’s no way the customs agent can go through it, right? Without missing a beat, the agent turns your phone towards you and it unlocks the moment it sees your face.

In situations where authorities can physically manipulate you, they can do the same thing with fingerprint scanners, forcibly placing your finger on the scanner.

You may not be worried about government authorities accessing your data using your biometrics, but what about criminals? The idea of a criminal forcing their victims to unlock systems using biometrics should be off-putting to anyone.

Our biometric data is out there for the whole world to see, but access codes and passwords live in our heads. For now, there is no easy way to extract those. You can always “forget” your passcode or provide the wrong one enough times to wipe your device.

Biometrics has unique hacking opportunities

Each type of authentication system has its own unique opportunities for hacking. When it comes to biometrics, what hackers need to do is find some way to spoof or capture your biometric data. As technology advances, it becomes possible to capture biometric data without the victim knowing.

In 2017, scientists managed to extract fingerprint data from photographs taken at a distance of up to 3 meters. Smartphone cameras have come a long way since 2017 and modern phones could probably capture enough detail at longer distances, not to mention that most phones now have at least one telephoto camera.

Iris scans are also not safe. In 2015, a Carnegie Mellon professor detailed how long-range iris scanning might work: a technology that could scan someone’s irises while they look in a rearview mirror, or from across a room.

These are just two examples; the principle is that current biometric data is always at risk of being captured and replicated. The same goes for future biometric data, such as deleted DNA combined with DNA “imprinting,” to give one possible example.

How to use biometrics responsibly

The weaknesses of biometric authentication don’t mean you shouldn’t use it at all. However, it’s not a great idea to put really sensitive information behind a biometric padlock alone. For highly sensitive data or applications, it is better to use multi-factor authentication (MFA) that either does not include biometrics or uses them only as one of several factors.

You can also use a secure vault on your mobile devices that needs another layer of authentication. Samsung’s Secure Folder feature is a good example of this.

Finally, most devices that offer biometric authentication also offer a biometric “kill switch.” This is a shortcut or action you can take to instantly disable biometrics. For example, you can say “Hey Siri, whose phone is this?” to your iPhone and the phone will immediately return to password authentication.

It’s a good idea to look up the biometric kill switch for the devices you use so you can trigger it if the need ever arises.
